Global Russian-Linked Router Malware Even Worse Than Originally Stated

from the Putin-gonna-Putin dept

Late last month, the FBI announced that hackers working for the Russian government had managed to infect roughly 500,000 routers in 54 countries with a particularly nasty piece of malware known as VPNFilter. The malware, which infected routers from vendors like Linksys, MikroTik, Netgear, TP-Link, and certain network-attached storage devices from companies like QNAP, gave attackers the ability to track a victim's internet usage, launch attacks on other networks, and permanently destroy the devices upon command.

A subsequent Cisco advisory about the malware noted that the infection rate had steadily increased since it was first observed sometime in 2016:

"Both the scale and the capability of this operation are concerning. Working with our partners, we estimate the number of infected devices to be at least 500,000 in at least 54 countries...The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials and monitoring of Modbus SCADA protocols."

A subsequent report by The Daily Beast noted that the FBI had managed to seize a key domain being used to manage the massive botnet of infected devices. The report also managed to obtain an FBI affidavit highlighting that the hacking group behind the malware was none other than Sofacy, aka Fancy Bear, Sednit, and Pawn Storm -- the same Russian-government-linked group believed to be behind the 2016 hack of the Democratic National Committee (unless you're one of those folks still clinging to the flimsy narrative that the DNC hacked itself, a claim recent Guccifer 2.0 revelations utterly deflated).

"Initially when we saw this we thought it was primarily made for offensive capabilities like routing attacks around the Internet," Craig Williams, a senior technology leader and global outreach manager at Talos, told Ars. "But it appears [attackers] have completely evolved past that, and now not only does it allow them to do that, but they can manipulate everything going through the compromised device. They can modify your bank account balance so that it looks normal while at the same time they're siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device."

The new, updated Cisco analysis is well worth a read for those who are interested, and notes that in addition to being more powerful than originally stated, the malware is also targeting a far larger range of hardware vendors than originally believed, including gear from ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. The vulnerabilities being exploited to install VPNFilter vary from device to device, as do the steps needed to identify whether a router is infected and how to purge it of the malware.

Originally, the FBI issued a statement indicating that owners of potentially impacted devices simply needed to reboot their routers to thwart the infection, thanks to the FBI's seizure of the controlling ToKnowAll.com domain.

But it's now clear that rebooting alone only temporarily disrupted the botnet and doesn't purge the infection. The interesting bit: it's incredibly difficult for ordinary end users to even know whether their router is infected, meaning that to be safe, users may need to wipe their routers completely and restore them to factory defaults. After that, the standard caveats apply: update your router to the latest firmware, disable remote administration functionality, and change any default username and password combinations the device may have shipped with.
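Since the article notes that end users can rarely tell whether a router is infected, one signal a defender can check from outside the device is whether anything on the network has been resolving the seized ToKnowAll.com command-and-control domain. The following is an added example, not code from the article or from Cisco Talos: it scans dnsmasq-style DNS query logs (the sample lines below are constructed, not real traffic) for lookups of that domain or any of its subdomains and reports which source addresses made them. The log format, the field names, and the `KNOWN_C2_DOMAINS` set are assumptions for the example; only the domain itself comes from the article.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# The one VPNFilter C2 domain the article names (seized by the FBI).
# Any additional indicators would come from a vendor advisory, not from here.
KNOWN_C2_DOMAINS: Set[str] = {"toknowall.com"}

# Constructed sample of dnsmasq query log lines; the addresses and
# timestamps are made up for the example.
SAMPLE_LOG = """\
Jun  6 10:01:12 dnsmasq[412]: query[A] www.example.org from 192.168.1.20
Jun  6 10:01:15 dnsmasq[412]: query[A] toknowall.com from 192.168.1.1
Jun  6 10:02:03 dnsmasq[412]: query[AAAA] mail.example.org from 192.168.1.31
Jun  6 10:03:44 dnsmasq[412]: query[A] cdn.ToKnowAll.com from 192.168.1.1
Jun  6 10:04:10 dnsmasq[412]: query[A] nottoknowall.com from 192.168.1.55
"""

# dnsmasq logs queries as "query[<type>] <name> from <client>"
LINE_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")


@dataclass(frozen=True)
class Hit:
    src: str    # client that issued the lookup
    name: str   # queried name exactly as logged
    qtype: str  # record type (A, AAAA, ...)


def matches_known_domain(name: str, domains: Iterable[str] = KNOWN_C2_DOMAINS) -> bool:
    """True if `name` is a known domain or a subdomain of one.

    Comparison is case-insensitive and ignores a trailing dot, and it
    requires a label boundary so that e.g. nottoknowall.com does not match.
    """
    host = name.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_dns_log(text: str, domains: Iterable[str] = KNOWN_C2_DOMAINS) -> List[Hit]:
    """Return every query line whose name matches a known domain."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # not a query line (e.g. reply/cached lines); skip
        if matches_known_domain(m["name"], domains):
            hits.append(Hit(src=m["src"], name=m["name"], qtype=m["qtype"]))
    return hits


def suspect_hosts(hits: Iterable[Hit]) -> List[str]:
    """Distinct source addresses that looked up a known domain, sorted."""
    return sorted({h.src for h in hits})


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.src} queried {h.name} ({h.qtype})")
    print("hosts to inspect:", suspect_hosts(found))
```

A hit on the router's own address is the interesting case, since it is the router rather than a LAN client that VPNFilter runs on. The absence of hits is not evidence of a clean device: the domain has been sinkholed, the article says a reboot does not remove the infection, and the reliable remediation remains the factory reset and firmware update described above.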

Re:

Good luck with that.

There's the reliability problem you mention, and then there's the security problem: you can't just pop a card out of the device and reflash it. Realistically you're going to be trusting the software on the router to accept and store the updated image; even the "failsafe" and "bootloader" recovery modes are just software that could have been corrupted by the malware. The only way to really make sure it happens is to crack it open and solder a JTAG connector.

Back to blaming those pesky "Russians"!

> the same Russian-government linked group believed to be behind the 2016 hack of the Democratic National Committee

Believed by YOU neo-liberal partisans.

> (unless you're one of those folks still clinging to the flimsy narrative that the DNC hacked itself, a claim recent Guccifer 2.0 revelations utterly deflated)

Who's clinging to THAT "narrative"? (Guccifer 2 is not a reliable source, anyway.) The most likely scenario is that DNC Admin tech Seth Rich copied the files. -- Kim Dotcom STATES THIS! -- Seth Rich was murdered! He's definitely dead, but if Techdirt ever even mentioned THAT narrative, a dead guy is just coincidence.

When isn't a Hack a Hack? When it's a Leak

> (unless you're one of those folks still clinging to the flimsy narrative that the DNC hacked itself, a claim recent Guccifer 2.0 revelations utterly deflated).

Psst... psst... it wasn't a hack it was a leak.

Italicized/bold text was excerpted from a report titled Guccifer 2.0 NGP/VAN Metadata Analysis found at theforensicator.wordpress.com:

The initial copying activity was likely done from a computer system that had direct access to the data. By "direct access" we mean that the individual who was collecting the data either had physical access to the computer where the data was stored, or the data was copied over a local high speed network (LAN).

Conclusion 7. A transfer rate of 23 MB/s is estimated for this initial file collection operation. This transfer rate can be achieved when files are copied over a LAN or when copying directly from the host computer’s hard drive. This rate is too fast to support the hypothesis that the DNC data was initially copied over the Internet (esp. to Romania).

Italicized/bold text was excerpted from a report titled Guccifer 2's West Coast Fingerprint found at theforensicator.wordpress.com:

In the first part of this report, we documented our analysis, which provided support for the conclusion that Guccifer 2 may have been operating out of a GMT+3 time zone region. However, when we place that conclusion against our finding that a document uploaded by Guccifer 2 (in a similar time frame) was likely last saved in a location on the West Coast, US we have to question our GMT+3 findings.

We must now give serious consideration to the idea that all 25 documents (uploaded in three batches over the course of a month) were all generated on the West Coast, US. Guccifer 2 was possibly working on a VM and/or using a VPN that vectored through Romania or Russia. Here is how that shift will look if all 25 files were last saved on the West Coast (PDT).

Forensic studies of "Russian hacking" into Democratic National Committee computers last year reveal that on July 5, 2016, data was leaked (not hacked) by a person with physical access to a DNC computer. After examining metadata from the "Guccifer 2.0" July 5, 2016 intrusion into the DNC server, independent cyber investigators have concluded that an insider copied DNC data onto an external storage device.

hahaha

"...still clinging to the flimsy narrative that the DNC hacked itself..."

Here's a narrative: What the U.S. gov. tells Americans and the idiotic masses that actually believe the spoon-fed bullshit that America is the good guys fighting global villains and doing everything in the name of freedom, democracy, and awesomeness. VS knowing the truth that America is a country built on wars, lies, and exploitation. Most of the world doesn't see the Russians as the aggressive evil bad guys that's out to "get" America. Every time I see crap like this I shake my head. The more the U.S. gov. pushes obvious bullshit propaganda the more idiotic they seem. lolz :)

No talk about the American and Israeli malware on the other hand

Attacking the Russians for some routers to bury the story of the Mossad-linked malware on millions of routers placed mostly in the Middle East and Iran that's been there stealing data and spying for at least 6-7 years. No reason to mention that, nope, nice work citizen, Big Brother says you did a good job.